O365 Login Events

Anvilogic Forge

Summary
This detection rule identifies login events in Microsoft Office 365 (O365), with a particular focus on activity associated with the threat actor group known as Lapsus$. The logic retrieves O365 login data and evaluates each login event against specified conditions: login failures, initial authentication attempts, and successful logins. The data is sourced from Office 365 audit logs and includes user-related fields such as the username, the source IP address, and the geographic location of the access attempt. The rule labels each event's outcome as either 'success' or 'failure' based on whether a logon error is present. It then groups login events by user and source IP address over a 10-minute window, which makes simultaneous or rapid access attempts from a single source easier to detect. This approach maps to MITRE ATT&CK techniques related to valid accounts and privilege escalation, reflecting a focus on unauthorized access patterns that abuse valid user accounts.
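The following is an added illustration of the grouping logic the summary describes, written for this page; it is not Anvilogic's rule and does not reproduce its query. It assumes audit records in the shape of Office 365 UnifiedAuditLog `UserLoggedIn` entries (field names `CreationTime`, `Operation`, `UserId`, `ClientIP`, `LogonError` follow the O365 schema; all values are constructed). Outcome is derived from the presence of `LogonError`, and events are aggregated per (user, source IP) into 10-minute windows anchored at the first event of each window. The `flag_failures_then_success` threshold is an assumed example condition, not one stated on the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on O365 UnifiedAuditLog UserLoggedIn
# entries. Addresses are RFC 5737 documentation ranges; users are fictional.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-02-09T10:00:05", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "LogonError": "InvalidUserNameOrPassword"},
    {"CreationTime": "2024-02-09T10:01:10", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "LogonError": "InvalidUserNameOrPassword"},
    {"CreationTime": "2024-02-09T10:03:40", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    # Same user and IP, but 24 minutes later: falls into a new window.
    {"CreationTime": "2024-02-09T10:25:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2024-02-09T10:02:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7"},
    # A non-login operation is ignored by the grouping.
    {"CreationTime": "2024-02-09T10:02:30", "Operation": "FileAccessed",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7"},
]

WINDOW = timedelta(minutes=10)


def classify_outcome(event):
    """'failure' when a LogonError is present, otherwise 'success'."""
    return "failure" if event.get("LogonError") else "success"


def group_logins(events, window=WINDOW):
    """Aggregate UserLoggedIn events by (user, source IP) into tumbling
    windows of `window` length, each anchored at its first event.

    Returns a list of dicts with user, src_ip, window_start,
    success_count and failure_count, in order of first appearance."""
    by_key = defaultdict(list)
    for ev in events:
        if ev.get("Operation") != "UserLoggedIn":
            continue
        ts = datetime.fromisoformat(ev["CreationTime"])
        by_key[(ev["UserId"], ev["ClientIP"])].append((ts, classify_outcome(ev)))

    groups = []
    for (user, ip), items in by_key.items():
        items.sort()  # order events within a user/IP pair by time
        current = None
        for ts, outcome in items:
            # Start a new window when the event falls outside the current one.
            if current is None or ts - current["window_start"] >= window:
                current = {"user": user, "src_ip": ip, "window_start": ts,
                           "success_count": 0, "failure_count": 0}
                groups.append(current)
            current["failure_count" if outcome == "failure" else "success_count"] += 1
    return groups


def flag_failures_then_success(groups, min_failures=2):
    """Assumed example condition: windows in which a user/IP pair recorded
    at least `min_failures` failures and then at least one success."""
    return [g for g in groups
            if g["failure_count"] >= min_failures and g["success_count"] >= 1]


if __name__ == "__main__":
    for g in group_logins(SAMPLE_EVENTS):
        print(g)
    print("flagged:", flag_failures_then_success(group_logins(SAMPLE_EVENTS)))
```

Windowing here is anchored at each pair's first event rather than on fixed clock boundaries; a fixed-bucket variant (floor the timestamp to the nearest 10 minutes) is the other common choice and produces different groupings at bucket edges, so the two should not be mixed when tuning thresholds.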
Categories
  • Cloud
  • Application
Data Sources
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1078
Created: 2024-02-09